Record-setting Cyber Theft Stirs Questions on Security

August 18, 2009 at 12:00 AM EDT


The Justice Department indicted three men on Monday for stealing more than 130 million credit and debit card numbers by hacking into the computer systems of five major companies. Cyber-security experts discuss the case with Ray Suarez.

RAY SUAREZ: It’s a case the Justice Department is calling the largest credit and debit card data breach in U.S. history. Twenty-eight-year-old Albert Gonzalez and two Russian co-conspirators are charged with stealing more than 130 million card numbers between October 2006 and May 2008.

It’s a record-setting breach, breaking the previous mark held, federal prosecutors say, by the same Albert Gonzalez. The Miami man was already in federal custody. He previously had been charged in identity theft cases involving the restaurant chain Dave & Buster’s and the retailer T.J. Maxx.

With this latest cybersecurity breach, consumers are asking themselves, how safe is my financial information?

For some answers, we turn to Kim Zetter. She’s been covering this story for Wired.com. And Rosetta Jones, she’s vice president for corporate relations at Visa.

Kim Zetter, how does the government say Albert Gonzalez did what they’re saying he did?

KIM ZETTER, Wired.com: Well, he worked with some co-conspirators who — they chose their targets by looking at Fortune 500 company lists. And once they found their target, they did sort of reconnaissance to find out what kind of processing system they used for processing their credit and debit cards. Once they knew that, they were able to look at what kind of vulnerabilities might exist in the system.

In the case of Heartland and Hannaford and 7-Eleven, I think we know that they used a SQL injection attack on all of them. And a SQL injection attack is a pretty kind of standard attack that can be prevented if the server is configured correctly. And in these cases, it’s showing up over and over again that many companies aren’t configuring their servers correctly.

RAY SUAREZ: So they did the digital equivalent of casing these places before trying the attack?

KIM ZETTER: Yes, exactly. In some cases, they went onto the Web site of the company, and the Web sites gave them information that helped them infiltrate the companies. The Web sites can tell them what kind of processes they’re using and that kind of thing.

And in the case of Heartland, you know, Heartland is a credit card, debit card processor, so it’s sort of the middleman between retailers and banks. And so if you hit a processor like that, then you’re getting millions of cards, as they did in this case.

RAY SUAREZ: Rosetta Jones, the program, according to the government, that these fellows were using burrowed into the systems and then started exporting the data they were finding there to places outside the United States, to some places inside the United States, but also to Latvia, Russia, the Netherlands. Why?

ROSETTA JONES, Visa: Your question was why they were exporting data?

RAY SUAREZ: Well, why to those places? Is it harder to investigate, harder to prosecute once you ship the data off to somewhere else in the world?

ROSETTA JONES: We think there’s ample opportunity for the government to be involved to help international cooperation in catching the criminals. We think that is an important opportunity and a significant area where the government can be involved.

RAY SUAREZ: Have the two sides been learning from each other, the hackers and the institutions that are trying to fend off these attacks? Do they look for breaches and then exploit them and then your side tries to build new defenses?

ROSETTA JONES: Well, I think, as long as card data remains valuable, criminals are going to continue to seek that information. What we have to do as an industry is to work with financial institutions and with merchants to protect that card information. And we have to make sure that they’re adhering to strict industry data security standards.

I think as an industry we also have to explore new ways to make that card data not valuable to criminals. And we’re looking at things like the introduction of dynamic data into the transaction. We think that has a good opportunity to help prevent fraud.

Background of a hacker

RAY SUAREZ: Kim Zetter, Albert Gonzalez was already known to federal law enforcement before he was arrested, wasn't he?

KIM ZETTER: Before he was arrested this time? He's already in custody at this point, but, yes, he was known -- he's been known to authorities since at least 2003. He was arrested in 2003, and authorities discovered that he was the top administrator on a carding forum called ShadowCrew. It's basically an online community or was an online community where credit card thieves gathered and sold their goods.

And when they arrested him and found out that he was administrator, they flipped him to become an informant for them, and he worked out of the Secret Service New Jersey office from I think it was about late 2003, early 2004, until they brought down ShadowCrew in October 2004.

And he convinced the carders on that forum to use a special virtual private network for communicating, and that network was controlled by the Secret Service, so they were able to read all the communications that were going through there.

When the bust was over, he went back to his criminal ways, and he changed -- his online nick at that point was "Cumbajohnny," and he changed it to "Segvec," and he continued to commit crimes as "Segvec," and authorities were actually chasing this person named "Segvec" without knowing that he was the former informant for the Secret Service. And then he...

RAY SUAREZ: While he was working as an informant, was he learning things that he could then turn around and use against places like card processing services and retailers?

KIM ZETTER: He probably was. And of course, he was making connections during that point, as well, because also on ShadowCrew and other forums that were connected to it were, you know, Russian criminals from the Russian hackers. And those are, you know, pretty much the top ones in this field, are coming from Ukraine and Russia.

And in this case, on the indictment that came down yesterday, there are two unnamed Russian co-conspirators who helped him hack into the systems. So those connections were probably made at that period and thereafter, as well.

Fraud rates

RAY SUAREZ: Rosetta Jones, are there a lot of people who know how to do this? Would it be happening more often if this wasn't such highly technical work?

ROSETTA JONES: Well, I think what you have to keep in mind is that, although you might read about hundreds of millions of accounts being compromised, that we know from our investigations less than 5 percent of those accounts are ever used fraudulently.

So while criminals might be trying to seek this information, the industry, Visa, and financial institutions are able to reduce fraud through effective monitoring of fraudulent transactions in the system.

And the fraud rate within Visa is actually at historic lows. It's just 6 cents out of every $100 transacted, and that's about half of what it was 10 years ago.

So, yes, we have more work to do to protect card information, but we know as an industry we're doing a good job at keeping fraud at bay.

RAY SUAREZ: So there's less fraud today than during the old days of running a card through one of those pressing machines and having carbon copies?

ROSETTA JONES: Today, using credit and debit cards remains one of the safest ways to pay, especially over cash and checks. It's just the reality. Zero liability today exists for cardholders, so if there is fraud on your account, you do not have to pay for that fraud. That's a protection that exceeds cash and checks.

Protections for consumers

RAY SUAREZ: But if you're reading the news and you see that there's been this latest breach, what can you be doing in your own interest? What should you be doing to protect yourself and check that your identity isn't being stolen, that your information isn't being used fraudulently?

ROSETTA JONES: Well, I think, first and foremost, again, it's important to remind consumers that you have important protections with using credit and debit cards. Zero liability is one of them.

But, of course, consumers should always monitor their accounts. We encourage consumers to have online banking and check their accounts real time and check their statements for fraudulent activity, and if they notice anything suspicious, to call their financial institution right away.

RAY SUAREZ: Kim Zetter, what do you think about the position of the consumer? Are people more vulnerable than they realize? Or, as you just heard Ms. Jones suggest, really the problem is with the credit card companies and they're the ones bearing the cost?

KIM ZETTER: Yes, I mean, I should point out that consumers, at least in the case of credit cards, we know there's zero liability. What's happening to our debit is that debit cards are being taken, as well. And, of course, when a debit card is stolen and, in some cases, PIN numbers are being grabbed, as well, then, you know, it allows an attacker to basically drain your bank account.

And in some cases, we're finding that consumers, it's not so easy for them to get that money back. They have to prove that they didn't use the card in many cases, and it can take months. In some cases, people aren't getting it back if it's, for instance, a business account instead of a personal account.

But, you know, I want to point out that even if consumers have zero liability, retailers are the victims in this, as well as the banks, the card issuers who have to reissue, you know, millions of new cards to customers whose numbers have been breached.

And there are lawsuits because of this, you know, against Heartland, TJX. You know, when they have unsecured systems that are breached, the cost, you know, is passed down to the retailers for the fraudulent transactions and then also for the people who have to reissue the cards.

RAY SUAREZ: We'll have to end it there. Kim Zetter, Rosetta Jones, ladies, thank you both.
